Wednesday, November 11, 2020

Security - High security standards guarantee you a carefree store administration

Smartstore regularly tests the code of the core application for security vulnerabilities. We work with security researchers, project managers and developers to prevent new security vulnerabilities from entering Smartstore.

Patches for bugs and security problems are made available to customers in a timely manner. Various vulnerability assessment tools and external vendors are used to test and verify compliance. The complete code base is regularly scanned with these tools.

We also work with GitHub Security Lab to identify affected repositories early and make Smartstore secure. However, if you have found a vulnerability in Smartstore, please let us know immediately.

The most important reason to protect your online store is that you need to protect your customer data as well.

These tools ensure a secure operation for your Smartstore online store

Granular rights management (ACL) via tree structure and Menu control (Menu Builder) via customer groups

The rights management (ACL) in Smartstore allows a very fine assignment of rights. Rights are assigned and controlled in a tree structure in the visual editor. Differentiated rights allow a very precise person- and role-specific assignment of rights over customers and customer groups. Customer groups can be used to control menus, controls, pages, product groups and products. Via the rights management, employees are only given the rights they need.

ACL is helpful in ensuring that no one makes changes in areas which are not their responsibility. ACL can also be used to control external, automated access via Web-API very precisely.

The "ACL" feature is a proprietary development of Smartstore AG for the Smartstore e-commerce software and is already included in the Community Edition.

The Smartstore Menu Builder and CMS page navigation

The Smartstore Menu Builder is a visual manager for all types of menus. It allows you to seamlessly embed your own CMS pages into existing menus or simply into a new menu structure, at any position, without programming a single line. All menu items, i.e. existing system menus and also self-created menu items, can be restricted by rights management. Discover the new look of Smartstore in a new way!


  • Improved user experience through professionally designed menu
  • Easy content marketing by inserting new content into existing store navigation
  • Generally better usability
  • Contents, sub-menus and menu structures can be displayed for specific target groups

Display and hide content in a target group oriented way via customer groups

The limitation to customer groups allows the store administrator to restrict access to products, categories, CMS pages and others based on user groups. In a way, the administrator can create a private area for each user group, where only pages and products assigned to that group are displayed.

The following elements can be restricted by customer groups:

  • Product groups
  • Products
  • Discounts
  • Manufacturers/Brand
  • Pages
  • Menus or individual menu items

The rights management via customer groups is a very powerful yet easy to use feature. The store admin has the flexibility to provide customer groups with their own areas by restricting products, product groups, individual CMS pages and menus. This way, a big customer can be shown only products in suitably large bundles, or directly a separate page with special products only for this customer.

The "customer groups" feature is a proprietary development of Smartstore AG for the Smartstore e-commerce software and is available starting with the Community Edition.

Encryption of sensitive data using a private key

Encryption using a "private key" is an encryption process in which sensitive data is encrypted and decrypted using a key, in this case a series of numbers. Smartstore uses this very secure method for sensitive data such as passwords, credit cards and bank details. "Private" means that the key may not be passed on or published under any circumstances.

reCAPTCHA on all interactive pages

Google reCAPTCHA protects your website from fraud and abuse

Google reCAPTCHA uses an advanced risk analysis engine and adaptive challenges to prevent malicious software from performing abusive activities on your website. Meanwhile, legitimate users can log in, make purchases, view pages or create accounts, and fake users are blocked.

The reCAPTCHA benefit

  • Proven: reCAPTCHA has been a leader in bot mitigation for over a decade
  • Customer-friendly: A seamless fraud detection service that stops bots and other automated attacks while authorizing valid users
  • Adaptive: reCAPTCHA's risk-based bot algorithms apply continuous machine learning that considers every customer and bot interaction in order to overcome the binary heuristic logic of traditional challenge-based bot detection technologies

Further use cases

  • Scraping: theft of content to redirect advertising revenue or for competitive use
  • Fraudulent transactions: Purchase of goods or gift cards with stolen credit cards
  • Account Transfers (ATO): filling in credentials to validate stolen accounts
  • Synthetic accounts: Creation of new accounts for advertising value or future abuse
  • False contributions: Publication of malicious links or distribution of false information
  • Money laundering: Bot generated ad click revenues on fraudulent websites


Cyber attacks are increasing significantly. DoS or DDos attacks are a threat for e-commerce. More and more online stores are paralyzed in this way temporarily. Fake customer accounts are also often created, for example to place spam in ratings. Much more dangerous, however, are direct hacker attacks by hundreds or thousands of bots simultaneously. The Geo-Blocker protects your Smartstore online store from these bots.

Overview of functions

  • Smartstore Geo-Lock technology detects the exact location of visitors
  • Access restriction due to geo-location and/or IP addresses
  • Definition of IP addresses with value ranges
  • Exception rule for registered customers

The Smartstore "Geo-Blocker" Plugin is a proprietary development of Smartstore AG for the Smartstore e-commerce software and is included in the Smartstore Premium Flat,  in addition, the plugin can be purchased via the Smartstore Marketplace.

SSL Support

SSL or TLS is an encryption protocol for secure data transmission on the Internet. The encryption is realized by certificates or so-called keys. SSL encryption ensures that confidential information such as credit card numbers, social security numbers and log-in data is transmitted securely. Without SSL encryption, the data is exchanged from the web server to the browser and vice versa in plain text, making it easy for attackers to spy on the data.

The SSL feature is included in all Smartstore E-Commerce Editions starting with the free Community Edition.

Security checklist for your Smartstore online store

Software updates bring you not only new features, but also bug fixes and the elimination or removal of vulnerabilities. For this reason it is extremely important to use the currently available software versions. It works for both Smartstore and the server software.

You can't protect yourself 100% against hackers, but there is a certain way to feel safer: Regular backups can save you from many problems. Save regular backups, don't even try to save them on the same server as the original website, and regularly restore your copies to a sandbox to make sure they work properly. Having your backup files on the same server as the original website is not only unsafe because you need your copy to be safe in case your server crashes, but also because a hacker who gains access to your server will get their hands on it.

Did you know that 123456 was the most popular password? The administrator password is the latest state of your Smartstore security. Simple passwords can be brutally enforced. So use more than 10 characters, including upper and lower case letters, as well as special characters like $%! # ^ . This way your password will not be hacked, as it will take even modern devices years to find a match.

In fact, this Smartstore security issue works with any password-protected data you have. According to, more than 15% of users choose identical passwords for more than one service. Too many people don't realize that using identical passwords for multiple logins actually carries the risk of losing all your accounts at once.

A significant part of Trojan software steals stored passwords. You must be careful with FTP clients and browsers, as passwords are more often stolen through these applications. Never store passwords with this software without the master password (a password that encrypts the rest of the passwords and also stores the credentials). Ignoring this warning can lead to data leakage when logging in.

Passwords should not be lifelong. We recommend changing passwords every 3-6 months. Even if your passwords have been leaked (and even if the hacker didn't use them), regular changes will render the previously leaked data useless. Make sure that passwords are changed for everyone who uses the site.

Set up a firewall to deny public access to everything but the web server. If you do not have a permanent IP address to access it through the firewall, use a VPN or port knocking technology. You can also install a web application firewall (e.g. Naxsi) to protect your store from SQL injections.

Regularly monitor the Smartstore web server logs and check for errors or suspicious activity.

If you use a public hotspot in a café or shopping mall, there is a risk that you will be attacked. To avoid this, use secure connections for authorization. To use SSL, you do not even have to buy a certificate! Just generate a self-signed certificate and make it a trusted one in your browser.

The FTP protocol was created when the Internet was born, and security was not the problem at that time. Nowadays, the use of FTP is highly undesirable, since authorization is done with plain text and can be easily intercepted. Use the SFTP protocol, as it also frees you from problems with IP streaming (NAT), as not everyone has a public IP for Internet use. Follow these instructions to configure SFTP for Smartstore.

Use trusted antivirus software and update it regularly to the latest version as they add new information about new scumware to their databases daily. This increases your privacy and protects you from malware that steals information and sends it to hackers.

Protect yourself from hacker attacks and unnecessary load on your server. Use e.g. the Smartstore Geo-Blocker Plugin.

Leave your comment